On 04/25/2017 06:45 PM, Gordon Messmer wrote:
> On 04/25/2017 01:58 AM, Laurent Wandrebeck wrote:
>> Quick’n’(really) dirty SELinux howto:
>
> Alternate process:
>
> 1: setenforce permissive
> 2: tail -f /var/log/audit/audit.log | grep AVC
> 3: use the service, exercise each function that's constrained by the
> existing policy
> 4: copy and paste the output from the terminal used for #2 into
> "audit2allow -M <modulename>"
> 5: setenforce enforcing
>
> This process is less iterative, which can save a *lot* of time
> building some policies.

This produced the same content as before, which caused problems:

module myservice_policy 1.0;

require {
	type dovecot_t;
	type mysqld_etc_t;
	type mysqld_t;
	class unix_stream_socket connectto;
	class file { getattr open read };
	class dir read;
}

#============= dovecot_t ==============
allow dovecot_t mysqld_etc_t:dir read;
allow dovecot_t mysqld_etc_t:file { getattr open read };

#!!!! The file '/var/lib/mysql/mysql.sock' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/lib/mysql/mysql.sock
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow dovecot_t mysqld_t:unix_stream_socket connectto;

What do these 3 comments mean? I don't think I want to restorecon for a socket:

# ls -Z /var/lib/mysql
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log.00000001
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 aria_log_control
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ibdata1
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile0
-rw-rw----. mysql mysql system_u:object_r:mysqld_db_t:s0 ib_logfile1
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 mysql
srwxrwxrwx. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysql.sock
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 performance_schema
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 postfix
drwx------. mysql mysql system_u:object_r:mysqld_db_t:s0 roundcubemail

What does the 3rd comment mean?

thanks
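As an added example, not part of the thread and not audit2allow's own code: a small Python script that does what step 4 of the quoted process does, turning the AVC lines captured in step 2 into a .te module, so the allow rules can be read before they are installed with semodule. It also flags the kind of rule the thread's third comment is about. The audit.log lines are constructed to mirror the denials behind the module above; their PIDs, inodes, timestamps and comm values are made up, and the function names are mine.

```python
"""Build an SELinux Type Enforcement (.te) module from raw AVC denial lines,
mirroring what `audit2allow -M <modulename>` does with the output of
`grep AVC /var/log/audit/audit.log`, and flag rules worth a second look
before `semodule -i`.  Added example; not audit2allow's own code."""
import re
from collections import defaultdict

# Constructed audit.log excerpt (not captured from a real host): the denials
# that would produce the module quoted in the thread.  PIDs, inodes and
# timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1493159125.123:4567): avc:  denied  { read } for  pid=1234 comm="dovecot" name="mysql" dev="dm-0" ino=12345 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir
type=AVC msg=audit(1493159125.124:4568): avc:  denied  { getattr } for  pid=1234 comm="dovecot" path="/etc/my.cnf" dev="dm-0" ino=12346 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1493159125.124:4569): avc:  denied  { open read } for  pid=1234 comm="dovecot" path="/etc/my.cnf" dev="dm-0" ino=12346 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1493159126.001:4570): avc:  denied  { connectto } for  pid=1234 comm="dovecot" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1493159126.001:4570): arch=c000003e syscall=42 success=no exit=-13 comm="dovecot" subj=system_u:system_r:dovecot_t:s0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, set_of_perms) per AVC denial;
    SYSCALL/PATH records in the same log carry no denial and are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def merge_rules(text):
    """Collapse repeated denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(name, text, version="1.0"):
    """Emit .te source: a require block naming every type and class used,
    then one allow rule per (source, target, class)."""
    rules = merge_rules(text)
    types = sorted({t for (src, tgt, _cls) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_src, _tgt, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {fmt_perms(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {src} {tgt}:{cls} {fmt_perms(perms)};"
            for (src, tgt, cls), perms in sorted(rules.items())]
    return "\n".join(out) + "\n"


def review_notes(text):
    """Flag rules a blanket audit2allow run tends to over-grant.  A
    unix_stream_socket connectto is checked against the context of the
    listening socket, which a daemon's socket inherits from its process
    domain (here mysqld_t).  The on-disk label of the socket path
    (mysqld_var_run_t in the thread's ls -Z output) plays no part in that
    check, so relabeling the file with restorecon does not change it."""
    notes = []
    for (src, tgt, cls), perms in sorted(merge_rules(text).items()):
        if cls == "unix_stream_socket" and "connectto" in perms:
            notes.append(f"{src} -> {tgt}: connectto targets the peer process "
                         f"domain {tgt}, not a file label; restorecon on the "
                         f"socket path does not affect this check")
        if cls in ("file", "dir") and perms & {"write", "append", "create", "unlink"}:
            notes.append(f"{src} -> {tgt}:{cls} grants write access; confirm it is needed")
    return notes


if __name__ == "__main__":
    print(build_module("myservice_policy", SAMPLE_AUDIT_LOG))
    for note in review_notes(SAMPLE_AUDIT_LOG):
        print("#", note)
```

The generated rules match the three allow lines in the thread's module. The second and third #!!!! comments that audit2allow added there are its own heuristics rather than part of the policy: the boolean line means an existing policy boolean already covers that AVC, so the alternative to shipping a custom allow rule is setsebool -P daemons_enable_cluster_mode on; whether that broader grant or the single rule is the better fit is the reviewer's call, which is why reading the .te output before semodule -i is worth the extra step.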